05-20-2009 04:27 PM - edited 03-11-2019 08:34 AM
Hello All,
I have a public IP and port (1.1.1.1:80) that is translated to a private IP:
static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255
The ACL applied inbound on the outside interface permits any hosts to 1.1.1.1:80.
My question is: can I policy-translate the destination IP:port from outside clients that match specified subnets? (i.e. hosts coming from 2.2.2.0/8 to 1.1.1.1:80 are translated to 1.1.1.2:81)
(Any necessary static and ACL additions would be performed.)
Thanks,
Christopher
05-21-2009 11:23 AM
After reading, trying and remembering, the answer is:
NO, you can't map an ip:port to two different ip:port destinations.
If you can't change the destination ip:port, maybe you can do a DNS trick or something like that.
05-21-2009 12:59 AM
I don't understand why you would want to do this if both public IPs are in the same range?
If they are, then just have a static NAT to 1.1.1.2:81 and limit access to it with an ACL?
05-22-2009 03:12 PM
Basically, the public IP is advertised in DNS, and could be hard-coded in an application. However, depending on the client source IP, they may need to be serviced by a different backend server.
05-21-2009 10:01 AM
I don't understand.
Do you need that clients from 2.2.2.0 be mapped to 192.168.1.1 and clients from 3.3.3.0 mapped to 192.168.1.22 for example?
05-21-2009 10:10 AM
Yes, that's basically it. Both sets of clients would attempt to connect to 1.1.1.1:80 (for example), but their true destination IP:port would be decided based on their source IP. Does that help clarify?
05-21-2009 10:12 AM
I am preparing the lab, if the phone doesn't ring, I will tell you my results in a few hours.
05-21-2009 03:13 PM
Thanks. I did some basic reading/trying and couldn't see it happening, but it was an odd case and you never know...
05-21-2009 03:18 PM
This kind of policy NAT and balanced internet connection are two of the most important missing ASA features.
Thanks for rating
05-22-2009 12:19 AM
The solution to your problem is to use Check Point :-)
05-22-2009 08:06 AM
Oh OK :)
We could perform this stuff post-ASA (i.e. on an F5 BIG-IP), but that equipment isn't in place at the moment. I was hoping that the ASA had a couple more features than the thousands it already possessed!